new patterns

Palma Solutions LTD
2018-10-20 10:33:33 +02:00
parent f7483b7d78
commit 188d591650


@@ -1325,10 +1325,23 @@ my @regexen = (
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\', \'nco\', \'mpr\', \'ess\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php \$user_agent_to_filter = array\( \"\#Ask\\s\*Jeeves\#i\", \"\#HP\\s\*Web\\s\*PrintSmart\#i\",.+?\$result = curl_exec\(\$ch\);\s+curl_close \(\$ch\);\s+echo \$result;\}\?>/is,
qr/<script language=javascript>var _0xfcc4=\[\"\\x66.+?true\)\{a\(\)\}\}<\/script>/is,
qr/<\?php if\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\{ if\(md5\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\) === \"([A-z0-9_]{20,})\"\) \{ eval\(base64_decode\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\); \}\} \?>/is,
qr/<\?php\s+set_time_limit\(300\);\s+function getRoot\(\$urlPath, \$scriptPath\) \{.+?foreach\(\$dirs as \$dir\) \{\s+\$f = \"\$dir\/index\.php\";\s+if \(is_writable\(\$f\)\) \{\s+echo \"<kuku>\$f<\/kuku>\";\s+\}\s+\}\s+\?>/is,
qr/<\?php \$a=base64_decode\(.+?\);\@eval\(\$a\); \?>/is,
qr/<\?php\s+if \(\!isset\(\$_COOKIE\[\'([A-z0-9_]{20,})\'\]\)\) \{header\(\'HTTP\/1\.0 404 Not Found\'\);exit;\} \?>/is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'1\';\s+\$([A-z0-9_]{1,20})=base64_decode\(.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x7a\\x72\\x5f\\x7a\\x5f\\x7a\\x72\\x5f\\x7a\\x72\"\]\(\);\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \"\/.+?\";function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\}\$.+?\(\"o\\x64e\",chr\(40\),\"\"\);\$.+?\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
qr/<\?php\s+\/\*\*\s+\* SAPE\.ru.+?class SAPE_base.+?function get_sape\(\) \{\s+\$ne = new SAPE_client\(\);\s+return \'<div style=\"position\:absolute;overflow\:auto;width\:0\">\'\.\$ne->return_links\(3\)\.\'<\/div>\';\s+\}/is,
qr/<\?php\s+\/\/Bksmile \*\*\(RooTTN\)\*\*.+?\@\$passwd = file_get_contents\(\'\/home\/\'\.\$user\.\'\/etc\/\'\.\$t\.\'\/shadow\'\);.+?fclose\(\$connection\);\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$testa = \$_POST\[\'veio\'\];\s+if\(\$testa \!= \"\"\) \{.+?<\?php echo \$OS = \@PHP_OS; \?><\/span><\/p><\/td>\s+<\/tr>\s+<\/table>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\*\s+\* webadmin\.php - a simple Web-based file manager.+?<td colspan=\"\' \. \$cols \. \'\">\' \. phrase\(\$phrase, \$args\) \. \'<\/td>\s+<\/tr>\s+\';\s+\}\s+\?>/is,
qr/<\?php\s+\@set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'send\'\]\)\)\s+\{.+?OYA PUT YOUR LETTER BEFORE YOU SPAM.+?\$voy\+\+;\s+\}\s+\?><\/DIV>\s+<\/div>\s+<\/form>/is,
qr/<\?php \$\{\"\\x47\\x4c\\x4f\\x42ALS\"\}.+?if\(SERVICEMODE\)echo\$\{\$\{\"\\x47\\x4cO\\x42\\x41\\x4cS\"\}\[\"\\x6f\\x68\\x63\\x6ar\\x72\\x70\\x62di\\x72\"\]\};echo \"<\/\\x62\\x6fd\\x79\\x3e\\n<\/html>\\n\";\$translation->End\(\)\;\s+?>/is,
qr/<\?php\s+if\(!defined\(\'_NET\'\)\)\s+\{\s+error_reporting\(0\);\s+\$NET=\'shl-ed1\';\s+define\(\'_NET\',\$NET\);.+?\$_SERVER\[\'SERVER_NAME\'\]\)\);echo \$pinj_57;exit;\}\}\}\}\s+\}\s+\/\*,\.\*\/\s+\?>/is,
qr/<\?php\s+mb_internal_encoding\(\"UTF-8\"\);\s+error_reporting\(0\);\s+\$DS=DIRECTORY_SEPARATOR;\s+if\(!isset\(\$ex_links\)\|\|!isset\(\$ex_redirect\)\).+?if\(!file_exists\(\$MYDIR\)\)\{\@mkdir\(\$MYDIR\);\}.+?\$mp_15=\$mp_15\+1;\}return \$mp_274;\} \?>/is,
);
my @base64_decodes = (